Additional opportunities to prevent email abuse through domain matching?

Discussion in 'E-mail Discussions' started by jerrybell, Apr 20, 2014.

  1. jerrybell

    jerrybell Well-Known Member

    Hello,

    I've had an unfortunate string recently with email accounts being hijacked by spammers and used to relay spam through my server. I don't know if the spammers are getting the email through malware on the PC of the account owner, sniffing wifi connections, or offering chocolate bars to the users, but it's happened 3 times in about 6 months.

    In any event, I noticed that in each case the spammers are using a completely fake from address - usually @aol.com or some other big name domain.

    It seems to me that I should not be allowing email to be sent through my server where the domain in the from address is not a local domain or some domain that I explicitly allow. Is there an option to enable this kind of restriction?

    It would be even nicer if I had the option to limit authenticated senders to only sending from the address they authenticated with. So, if I auth with the name "jerrybell@mydomain.com", I can only send email where my from address is "jerrybell@mydomain.com". Is there a reasonable way to do this?

    Thanks much!

    Jerry
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may find the following option in "WHM Home » Service Configuration » Exim Configuration Manager" under the "Mail" tab useful:

    "EXPERIMENTAL: Rewrite From: header to match actual sender"

    Per its description:

    "If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected."

    Thank you.
     
  3. vanessa

    vanessa Well-Known Member
    PartnerNOC

    I didn't test this, but theoretically you can add this to the ACL section of exim.conf (WHM -> Exim Configuration Manager -> Advanced)

    Code:
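    acl_check_sender:
       # Reject authenticated submissions whose envelope sender domain is not local
       deny authenticated = *
            !sender_domains = +local_domains
       # Let everything else through this ACL
       accept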
    

    This would basically make sure the sender is a local domain on the server, but will not go as far as matching the email addresses.
     
  4. brianoz

    brianoz Well-Known Member

    Vanessa - that's really useful. Is there a way to provide a specific message? I'd like to track a resulting log message and use that to disable that SMTP user as they've obviously been hacked.
     
  5. vanessa

    vanessa Well-Known Member
    PartnerNOC

    This might work (again, didn't test. I'm sorta lazy):

    Code:
    acl_check_sender:
       # Reject authenticated submissions whose envelope sender domain is not local
       deny authenticated = *
            !sender_domains = +local_domains
            log_message = "Sender domain does not match authenticated domain."
            message = "Sender domain does not match authenticated domain."
       accept
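
For the log-tracking idea raised in this thread, an added example (not written by any poster here, and not cPanel's code): a Python script that scans Exim log lines for the `log_message` text above and lists authenticated logins with repeated rejections. The log lines are constructed, and the `A=<authenticator>:<login>` / `F=<sender>` field layout is an assumption to check against your own Exim main log.

```python
import re
from collections import Counter

# Text written by the log_message modifier in the ACL posted above.
MARKER = "Sender domain does not match authenticated domain."

# Assumed Exim log fields: A=<authenticator>:<login> and F=<envelope sender>.
AUTH_RE = re.compile(r"\bA=[^:\s]+:(\S+)")
FROM_RE = re.compile(r"\bF=<([^>]*)>")

# Constructed sample lines (made-up accounts, documentation IP addresses).
SAMPLE_LOG = """\
2014-04-21 10:15:01 H=(pc1) [203.0.113.7] A=dovecot_login:bob@example.com F=<promo@aol.com> rejected MAIL <promo@aol.com>: Sender domain does not match authenticated domain.
2014-04-21 10:15:02 H=(pc1) [203.0.113.7] A=dovecot_login:bob@example.com F=<deals@aol.com> rejected MAIL <deals@aol.com>: Sender domain does not match authenticated domain.
2014-04-21 10:15:04 H=(pc1) [203.0.113.7] A=dovecot_login:bob@example.com F=<win@yahoo.com> rejected MAIL <win@yahoo.com>: Sender domain does not match authenticated domain.
2014-04-21 10:20:10 1WcABC-0001aB-2C <= alice@example.org H=(laptop) [198.51.100.9] A=dovecot_login:alice@example.org S=1204
2014-04-21 10:31:45 H=(laptop) [198.51.100.9] A=dovecot_login:alice@example.org F=<alice@exmaple.org> rejected MAIL <alice@exmaple.org>: Sender domain does not match authenticated domain.
"""


def mismatch_events(lines):
    """Yield (login, envelope_sender) for each rejection carrying MARKER."""
    for line in lines:
        if MARKER not in line:
            continue
        auth = AUTH_RE.search(line)
        if auth is None:
            continue  # no authenticated identity to attribute the rejection to
        sender = FROM_RE.search(line)
        yield auth.group(1), (sender.group(1) if sender else "")


def accounts_to_review(lines, threshold=3):
    """Map each login with >= threshold rejections to the sender domains it tried."""
    hits = Counter()
    domains = {}
    for login, sender in mismatch_events(lines):
        hits[login] += 1
        domains.setdefault(login, set()).add(sender.rpartition("@")[2].lower())
    return {login: sorted(domains[login]) for login, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for login, tried in accounts_to_review(SAMPLE_LOG.splitlines()).items():
        print(f"review {login}: rejected sender domains {', '.join(tried)}")
```

The threshold keeps a single mistyped sender address from flagging an account; repeated rejections across several outside domains are the pattern described in the first post.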
    
     
  6. Dayneuske

    Dayneuske Registered

    I am having the same issue as OP and would love to implement the fix proposed by vanessa.

    However, I am not able to find the "acl_check_sender:" section of the advanced exim configuration manager. Doing a search for the setting has not helped any either.

    Can you tell me if this is a custom acl that needs to be added or if my version of the advanced exim configuration manager is messed up?

    If there is documentation on this setting, can you provide the link and let me know the search terms used to find it? (Always looking to improve my search skills)
     